Making WordPress.org

Opened 4 years ago

Closed 3 years ago

#5689 closed defect (bug) (fixed)

Plugin Directory: Banned Users should not be able to upload plugins

Reported by: ipstenu's profile Ipstenu Owned by: dd32's profile dd32
Milestone: Priority: normal
Component: Login & Authentication Keywords:
Cc:

Description

#5575 is broken and banned users can still upload plugins.

It may be that #4691 does not seem to be properly logging them out?

Change History (5)

#1 @dd32
4 years ago

  • Component changed from General to Login & Authentication
  • Owner set to dd32
  • Status changed from new to accepted

This is still very odd, a user blocked two months ago should not have been able to have an active logged in session, regardless of whether their password was reset or not. The user was banned prior to #4691 so I'm pondering if it's a stale cache being used?

I'm not entirely sure how or what is happening here, but a blocked user having an active session is far more serious than just being able to submit plugins..

I've added a super-ban-hammer on the determine_current_user filter to absolutely block a blocked user ever having an active session in r17146-dotorg & r17147-dotorg.

Let's see how that goes, it really shouldn't have been needed, but if this doesn't fix it...
(If only I could ask a banned user as to how they bypassed it...)

#2 follow-up: @Ipstenu
4 years ago

FWIW the user that brought this up (again) was banned two weeks ago, so after the change, which makes even less sense.

#3 in reply to: ↑ 2 @dd32
4 years ago

Replying to Ipstenu:

FWIW the user that brought this up (again) was banned two weeks ago, so after the change, which makes even less sense.

That makes even less sense...

I was basing my reply off the last banned user that I could see who submitted 2 plugins after their ban date, whom you force reset the password for, who was banned on 2020-02-02 and submitted plugins on 2020-04-01 & 2020-04-04.

Version 0, edited 4 years ago by dd32 (next)

This ticket was mentioned in Slack in #meta by tellyworth. View the logs.


4 years ago

#5 @dd32
3 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

This has finally been resolved.

Note: See TracTickets for help on using tickets.